[Congressional Record Volume 149, Number 15 (Tuesday, January 28, 2003)]
[Senate]
[Pages S1675-S1677]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mrs. FEINSTEIN (for herself, Mr. Grassley, Mr. Corzine, and 
        Mr. Gregg):
  S. 223. A bill to prevent identity theft, and for other purposes; to 
the Committee on Banking, Housing, and Urban Affairs.
  Mrs. FEINSTEIN. Mr. President, I rise, along with Senator Grassley, 
Senator Corzine, and Senator Gregg to introduce the Identity Theft 
Prevention Act.
  This bill addresses the growing tide of identity theft cases by 
requiring banks, credit bureaus, and other financial institutions to 
take some practical steps to protect sensitive personal information.
  What is identity theft? Identity theft occurs when one person uses 
another person's Social Security number, birth date, driver's license 
number, or other identifying information to obtain credit cards, car 
loans, phone plans or other services in the victim's name.
  The criminal literally assumes the identity of the victim for illicit 
gain.
  Identity theft has become the number one white collar crime of the 
new millennium, and Congress needs to make a major effort to protect 
Americans' personal information.
  Hundreds of thousands of Americans are victimized by identity theft 
each year.
  The personal losses as a result of these crimes are major. The 
average financial loss from an identity theft case is $17,000 and it 
takes a typical victim 18 months to restore his or her good credit.
  In some cases, victims are falsely saddled with criminal records or 
are denied loans and other valuable financial services.
  Identity theft is frighteningly easy to commit. One of my 
constituents, Kim Bradbury of Castro Valley, knows this too well. Kim 
reported that an identity thief obtained a credit card in her name 
through the Internet in less than 60 seconds. The false application 
only had her Social Security number and birth date correct.
  Kim only found out she was an identity theft victim when a 
representative of a telemarketing company called her at home while she 
was feeding her one-year child. The representative told her that 
someone with a different address had applied for a credit card in Kim's 
name.
  In Kim's case, it appears that her Social Security number was stolen 
by a fellow employee who also had stolen the identities of several 
dozen company employees. The thief ultimately stole over $100,000 in 
merchandise, including 20 cell phone accounts, via identity fraud.
  All indicators suggest that the crime continues to grow at an 
alarming rate.
  Just two months ago, Federal prosecutors announced the largest single 
identity theft case in U.S. history. Three individuals allegedly sold 
the credit and personal information of 30,000 people.
  At one national credit reporting agency, consumers requested 53 
percent more fraud alerts in fiscal year 2001 than fiscal year 2000.
  As of December 2001, the Federal Trade Commission, FTC, Identity 
Theft Clearinghouse averaged more than 3,000 call-ins per week, a 
seven-fold increase since the clearinghouse began operation in November 
1999.
  The Identity Theft Prevention Act offers a series of practical steps 
to cut-off criminal access to sensitive consumer data.
  No. 1, Credit card number truncation on receipts: first, the Identity 
Theft Prevention Act would require all new credit-card machines to 
truncate any credit card number printed on a customer receipt.
  Thus, when a store gives a customer a receipt from a credit card 
purchase, only the last five digits of the credit card number will 
show.
  This prevents identity thieves from stealing credit card numbers by 
retrieving discarded receipts.

[[Page S1676]]

  Existing machines would have to be reprogrammed to truncate credit 
card numbers on receipts within four years after enactment of the 
legislation.
  No. 2, Fraud alerts: the bill would give the Federal Trade Commission 
the authority to impose a fine on credit issuers who issue new credit 
to identity thieves despite the presence of a fraud alert on the 
consumer's credit file.
  Too many credit card issuers are granting new cards without 
adequately verifying the identity of the applicant. Putting some teeth 
into fraud alerts will curb irresponsible granting of credit.
  No. 3, Free credit reports: third, the legislation would entitle each 
consumer to one free credit report per year. Currently six States, 
Colorado, Georgia, Maryland, Massachusetts, New Jersey, and Vermont, 
have laws entitling consumers to one free credit report per year from 
the national credit bureaus.
  According to identity theft victim advocates, identity theft is 
detected much earlier if consumers actively monitor their credit files. 
The cost of credit reports is a major obstacle to their use by 
consumers.
  No. 4, Change of address: finally, the bill requires a credit card 
company to notify consumers when an additional credit card is requested 
on an existing credit account within 30 days of an address change 
request.
  This provision addresses a common method of identity fraud where a 
criminal steals an individual's credit card number, and then obtains a 
duplicate card by informing the issuer of a change of address.
  The Identity Theft Prevention Act requires financial institutions to 
implement needed precautions to prevent identity fraud and protect a 
person's good name.
  Verifying a credit applicant's address, complying with ``fraud 
alerts'', and truncating credit numbers on receipts are all measures 
that will make it harder for criminals to engage in identity fraud.
  It is appropriate and necessary for financial institutions to take 
these steps. These companies have a responsibility to prevent 
fraudsters from using their services to harm the good name of other 
citizens.
  Morever, in this complex, information-driven society, consumers 
simply can't protect their good name on their own.
  I strongly believe this legislation will provide desperately needed 
tools to combat identity theft, and I look forward to working with my 
colleagues to secure its passage.
  I ask unanimous consent that the text of this legislation be printed 
in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                 S. 223

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Identity Theft Prevention 
     Act''.

     SEC. 2. FINDINGS.

       Congress finds that--
       (1) the crime of identity theft has become one of the major 
     law enforcement challenges of the new economy, as vast 
     quantities of sensitive, personal information are now 
     vulnerable to criminal interception and misuse;
       (2) in November 2002, Americans were alerted to the dangers 
     of identity theft when Federal prosecutors announced that 3 
     individuals had allegedly sold the credit and personal 
     information of 30,000 people, the largest single identity 
     theft case in United States history;
       (3) hundreds of thousands of Americans are victims of 
     identity theft each year, resulting in an annual cost to 
     industry of more than $3,500,000,000.
       (4) several indicators reveal that despite increased public 
     awareness of the crime, the number of incidents of identity 
     theft continues to rise;
       (5) in December 2001, the Federal Trade Commission received 
     an average of more than 3,000 identity theft calls per week, 
     a 700 percent increase since the Identity Theft Data 
     Clearinghouse began operation in November 1999;
       (6) allegations of social security number fraud increased 
     by 500 percent between 1998 and 2001, from 11,000 to 65,000;
       (7) a national credit reporting agency reported that 
     consumer requests for fraud alerts increased by 53 percent 
     during fiscal year 2001;
       (8) identity theft violates the privacy of American 
     citizens and ruins their good names;
       (9) victims of identity theft may suffer restricted access 
     to credit and diminished employment opportunities, and may 
     spend years repairing the damage to credit histories caused 
     by identity theft;
       (10) businesses and government agencies that handle 
     sensitive personal information of consumers have a 
     responsibility to protect this information from identity 
     thieves; and
       (11) the private sector can better protect consumers by 
     implementing effective fraud alerts, affording greater 
     consumer access to credit reports, truncating of credit card 
     numbers, and establishing other prevention measures.

     SEC. 3. IDENTITY THEFT PREVENTION.

       (a) Changes of Address.--
       (1) Duty of issuers of credit.--Section 132 of the Truth in 
     Lending Act (15 U.S.C. 1642) is amended--
       (A) by inserting ``(a) In General.--'' before ``No 
     credit''; and
       (B) by adding at the end the following:
       ``(b) Confirmation of Changes of Address.--If a card issuer 
     receives a request for an additional credit card with respect 
     to an existing credit account not later than 30 days after 
     receiving notification of a change of address for that 
     account, the card issuer shall--
       ``(1) not later than 5 days after sending the additional 
     card to the new address, notify the cardholder of the request 
     at both the new address and the former address; and
       ``(2) provide to the cardholder a means of promptly 
     reporting incorrect changes.''.
       (2) Enforcement.--
       (A) Federal trade commission.--Except as provided in 
     subparagraph (B), compliance with section 132(b) of the Truth 
     in Lending Act (as added by this subsection) shall be 
     enforced by the Federal Trade Commission in the same manner 
     and with the same power and authority as the Commission has 
     under the Fair Debt Collection Practices Act to enforce 
     compliance with that Act.
       (B) Other agencies in certain cases.--
       (i) In general.--Compliance with section 132(b) of the 
     Truth in Lending Act shall be enforced under--

       (I) section 8 of the Federal Deposit Insurance Act, in the 
     case of a card issuer that is--

       (aa) a national bank or a Federal branch or Federal agency 
     of a foreign bank, by the Office of the Comptroller of the 
     Currency;
       (bb) a member bank of the Federal Reserve System (other 
     than a national bank), a branch or agency of a foreign bank 
     (other than a Federal branch, Federal agency, or insured 
     State branch of a foreign bank), a commercial lending company 
     owned or controlled by a foreign bank, or an organization 
     operating under section 25 or 25A of the Federal Reserve Act, 
     by the Board of Governors of the Federal Reserve System;
       (cc) a bank insured by the Federal Deposit Insurance 
     Corporation (other than a member of the Federal Reserve 
     System or a national nonmember bank) or an insured State 
     branch of a foreign bank, by the Board of Directors of the 
     Federal Deposit Insurance Corporation; and
       (dd) a savings association, the deposits of which are 
     insured by the Federal Deposit Insurance Corporation, by the 
     Director of the Office of Thrift Supervision; and

       (II) the Federal Credit Union Act, by the Administrator of 
     the National Credit Union Administration in the case of a 
     card issuer that is a Federal credit union, as defined in 
     that Act.

       (C) Violations treated as violations of other laws.--
       (i) In general.--For the purpose of the exercise by any 
     agency referred to in this paragraph of its powers under any 
     Act referred to in this paragraph, a violation of section 
     132(b) of the Truth in Lending Act (as added by this 
     subsection) shall be deemed to be a violation of a 
     requirement imposed under that Act.
       (ii) Agency authority.--In addition to its powers under any 
     provision of law specifically referred to in subparagraph (A) 
     or (B), each of the agencies referred to in those 
     subparagraphs may exercise, for the purpose of enforcing 
     compliance with section 132(b) of the Truth in Lending Act, 
     any other authority conferred on such agency by law.
       (b) Fraud Alerts.--Section 605 of the Fair Credit Reporting 
     Act (15 U.S.C. 1681c) is amended by adding at the end the 
     following:
       ``(g) Fraud Alerts.--
       ``(1) Defined term.--In this subsection, the term `fraud 
     alert' means a statement in the file of a consumer that 
     notifies all prospective users of a consumer report made with 
     respect to that consumer that--
       ``(A) the consumer's identity may have been used, without 
     the consumer's consent, to fraudulently obtain goods or 
     services in the consumer's name; and
       ``(B) the consumer does not authorize the issuance or 
     extension of credit in the name of the consumer unless the 
     issuer of such credit--
       ``(i) obtains express preauthorization from the consumer at 
     a telephone number designated by the consumer; or
       ``(ii) utilizes another reasonable means of communications 
     to obtain the express preauthorization of the consumer.
       ``(2) Inclusion of fraud alert in consumer file.--Upon the 
     request of a consumer and upon receiving proper 
     identification, a consumer reporting agency shall include a 
     fraud alert in the file of that consumer.
       ``(3) Notice sent by consumer reporting agencies.--A 
     consumer reporting agency shall notify each person procuring 
     consumer credit information with respect to a consumer of the 
     existence of a fraud alert in the file of that consumer, 
     regardless of whether

[[Page S1677]]

     a full credit report, credit score, or summary report is 
     requested.
       ``(4) Procedures to receive fraud alerts.--Any person who 
     uses a consumer credit report in connection with a credit 
     transaction shall establish reasonable procedures to receive 
     fraud alerts transmitted by consumer reporting agencies.
       ``(5) Violations.--
       ``(A) Consumer reporting agency.--Any consumer reporting 
     agency that fails to notify any user of a consumer credit 
     report of the existence of a fraud alert in that report shall 
     be in violation of this section.
       ``(B) User of a consumer report.--Any user of a consumer 
     report that fails to comply with preauthorization procedures 
     contained in a fraud alert and issues or extends credit in 
     the name of the consumer to a person other than the consumer 
     shall be in violation of this section.
       ``(6) Exceptions.--
       ``(A) Resellers.--
       ``(i) In general.--The provisions of this subsection do not 
     apply to a consumer reporting agency that acts as a reseller 
     of information by assembling and merging information 
     contained in the database of another consumer reporting 
     agency or multiple consumer reporting agencies, and does not 
     maintain a permanent database of the assembled or merged 
     information from which new consumer reports are produced.
       ``(ii) Limitation.--A reseller of assembled or merged 
     information shall preserve any fraud alert placed on a 
     consumer report by another consumer reporting agency.
       ``(B) Exempt institutions.--The requirement under this 
     subsection to place a fraud alert in a consumer file shall 
     not apply to--
       ``(i) a check services company, which issues authorizations 
     for the purpose of approving or processing negotiable 
     instruments, electronic funds transfers, or similar methods 
     of payments; or
       ``(ii) a demand deposit account information service 
     company, which issues reports regarding account closures due 
     to fraud, substantial overdrafts, ATM abuse, or similar 
     negative information regarding a consumer, to inquiring banks 
     or other financial institutions for use only in reviewing a 
     consumer request for a demand deposit account at the 
     inquiring bank or financial institution.''.

     SEC. 4. TRUNCATION OF CREDIT CARD ACCOUNT NUMBERS.

       (a) In General.--Except as provided in this section, no 
     person, firm, partnership, association, corporation, or 
     limited liability company that accepts credit cards for the 
     transaction of business shall print more than the last 5 
     digits of the credit card account number or the expiration 
     date upon any receipt provided to the cardholder.
       (b) Limitation.--This section--
       (1) applies only to receipts that are electronically 
     printed; and
       (2) does not apply to transactions in which the sole means 
     of recording the cardholder's credit card account number is 
     by handwriting or by an imprint or copy of the credit card.
       (c) Effective Date.--This section shall take effect--
       (1) on the date that is 4 years after the date of enactment 
     of this Act, with respect to any cash register or other 
     machine or device that electronically prints receipts for 
     credit card transactions that is in use prior to the date of 
     enactment of this Act; and
       (2) on the date that is 18 months after the date of 
     enactment of this Act, with respect to any cash register or 
     other machine or device that electronically prints receipts 
     for credit card transactions that is first put into use on or 
     after the date of enactment of this Act.
       (d) Effect on State Law.--Nothing in this section prevents 
     a State from imposing requirements that are the same or 
     substantially similar to the requirements of this section at 
     any time before the effective date of this section.

     SEC. 5. FREE ANNUAL CREDIT REPORT.

       Section 612(c) of the Fair Credit Reporting Act (15 U.S.C. 
     1681j(c)) is amended to read as follows:
       ``(c) Free Annual Disclosure.--Upon the request of the 
     consumer and without charge to the consumer, a consumer 
     reporting agency shall make all the disclosures listed under 
     section 609 once during any 12-month period.''.
                                 ______